Windows Server Hacks: Using Saved Queries to Find Locked Accounts

The usual way for an administrator to hear that a user's account has been locked out is when the user phones and complains. But occasionally locked-out accounts can signal something more nefarious.

Account lockout policies are typically configured on Active Directory-based networks to deter brute-force password cracking attacks. But an attacker could turn such a policy into a denial of service (DoS) attack simply by guessing passwords at random until a user's account locks out. The user is then unable to access the network or do any work until an administrator intervenes and unlocks the account. So it can be handy to check periodically whether any accounts have been locked out.

The straightforward way is to use the Active Directory Users and Computers console to open the properties sheet for each user's account and view the account lockout setting on the Account tab:

Note that user Carol Smith (csmith@testtwo.local) has a locked-out account. Of course, if your company has more than just a handful of users then this approach is impractical.

A different approach is to query Active Directory for any locked-out accounts. Windows Server 2003 includes a new feature called Saved Queries that can be used for just this purpose. Open the Active Directory Users and Computers console, right-click on Saved Queries in the console tree and select New --> Query. This opens the New Query box:

Type a name and description for the query, specify a query root (where in your namespace your query begins searching), and click the Define Query button to open the Find Common Queries box:

Note that by simply selecting a checkbox we can search for disabled accounts, non-expiring accounts, or days since last logon. Unfortunately, we're looking for locked-out accounts, an option the Common Queries box doesn't offer, so in the Find listbox select Custom Search instead to open the Find Custom Search box and select the Advanced tab:

Hacking the Hack

How do you create other LDAP strings like the one above to perform custom queries against Active Directory? If you're like me, you like learning on the fly, so let's figure out what kind of LDAP string would find all users whose last name is Smith.

First, let's begin by using the GUI to form the query. Open the New Query box again and click Define Query. From the Find listbox select Users, Contacts, and Groups and switch to the Advanced tab:

Click Field --> User --> Last Name, then under Condition choose Is (exactly) and type "Smith" (without the quotes) under Value. Now click Add:

Click OK to return to the New Query box and you'll see the LDAP string:

Click OK to save and run the query:

Now right-click on your query named The Smiths and select Export Query Definition, and export your query as an XML file to My Documents or some other convenient folder. Then double-click on the exported XML file to open it in Internet Explorer:

The stuff between the <ldapquery> and </ldapquery> tags is the string we're interested in. By editing your XML file in Notepad you can modify the LDAP string. For example, let's say you want to find the Joneses in your company instead of the Smiths. To do this, open your XML file in Notepad (make sure Word Wrap is turned off) and change sn=Smith to sn=Jones, then save the modified file as jones.xml.

Now go back to Active Directory Users and Computers, right-click on Saved Queries and select Import Query Definition. Double-click on jones.xml to open it and display the Edit Query box, change the Name and Description fields accordingly, and click OK. You now have a saved query for finding the Joneses.

Additional Resources

While you can learn how to form common LDAP queries by playing around like this, be sure to check out ADO Search Tips, which has a quick introduction to LDAP queries and gives a number of examples you can use to create your own queries. ADO Search Tips is one of a number of useful resources from Hilltop Lab, a helpful site created by Richard Mueller, a Microsoft MVP who haunts the ADSI and Scripting newsgroups on msnews.microsoft.com.

And if you're curious about the 1.2.840.113556.1.4.804 in our query string for finding locked accounts, see KB 269181.
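As an added example (not code from the article or from the tools it describes), the script below ties together the two hands-on parts above: it builds the kind of extensible-match filter that uses the 1.2.840.113556.1.4.804 bitwise-OR rule, models how a domain controller evaluates it, and rewrites the string inside an exported query definition the way the Notepad edit from Smith to Jones does. The `(objectCategory=person)(objectClass=user)` base clauses, the userAccountControl flag values and the elements surrounding `<ldapquery>` in the sample XML are assumptions, not taken from the page.

```python
import xml.etree.ElementTree as ET

# Extensible matching rules that Active Directory accepts in LDAP filters (see KB 269181).
BIT_OR_RULE = "1.2.840.113556.1.4.804"   # true if ANY bit in the mask is set
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # true if ALL bits in the mask are set

# Well-known userAccountControl flag values (assumed; the article does not list them).
UF_ACCOUNTDISABLE = 0x0002
UF_LOCKOUT = 0x0010

def bitwise_filter(attribute, rule, mask):
    """Build one extensible-match assertion, e.g. (userAccountControl:<rule>:=16)."""
    return f"({attribute}:{rule}:={mask})"

def user_filter(*clauses):
    """AND the assumed ADUC user base clauses with any extra assertions."""
    return "(&(objectCategory=person)(objectClass=user)" + "".join(clauses) + ")"

def matches_bitwise(value, rule, mask):
    """Evaluate a bitwise rule against an attribute value the way the DC does."""
    if rule == BIT_OR_RULE:
        return (value & mask) != 0
    if rule == BIT_AND_RULE:
        return (value & mask) == mask
    raise ValueError(f"unknown matching rule {rule}")

def build_query_xml(name, ldap_filter):
    """Constructed stand-in for an exported definition; only <ldapquery> is from the article."""
    root = ET.Element("query")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "ldapquery").text = ldap_filter  # ElementTree escapes the '&' for us
    return ET.tostring(root, encoding="unicode")

def ldap_query_from_xml(xml_text):
    """Return the filter string between <ldapquery> and </ldapquery>."""
    return ET.fromstring(xml_text).findtext("ldapquery")

def replace_in_query_xml(xml_text, old, new):
    """Rewrite the filter inside a definition, e.g. sn=Smith -> sn=Jones, and re-serialise it."""
    root = ET.fromstring(xml_text)
    node = root.find("ldapquery")
    node.text = node.text.replace(old, new)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(user_filter(bitwise_filter("userAccountControl", BIT_OR_RULE, UF_LOCKOUT)))
    smiths = build_query_xml("The Smiths", user_filter("(sn=Smith)"))
    print(ldap_query_from_xml(replace_in_query_xml(smiths, "sn=Smith", "sn=Jones")))
```

One caveat when reusing this for lockouts: Active Directory computes the lockout flag rather than storing it in userAccountControl, so `matches_bitwise` only models the rule, and a filter on `lockoutTime` (for example `(lockoutTime>=1)`) is what reliably returns locked-out users.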